The Czech Republic based security software vendor AVG Technologies recently updated its privacy policy. The objective of the changes, according to the company, was to explain in a more transparent manner to their users how it intends to use what it calls ”non-personal information”. The new privacy policy will take effect on 15 October 2015.

The company defines “non-personal data” as data that cannot be linked to the identity of users in any way. The new privacy policy explains that the company might collect and sell this information to third parties, to allow their anti-virus product to stay free or charge to the users. AVG also notes that it might anonymise and aggregate data that could otherwise identify individual users. The text assures that the company does not sell or rent its clients’ personal data to third parties, but the next paragraph warns that certain personal data may be shared with any of their “affiliated AVG companies, search providers, selected AVG resellers, distributors and other partners”.

The changes for the final user are not significant from the previous version of AVG’s privacy policy which stated that the company could collect data on “the words you search”, but did not make it clear whether browser history data could also be collected and sold to third parties.

The reactions to the new privacy policy are diverse. Data protection and IT law expert Orla Lynskey from the London School of Economics welcomed the improved wording, but said that users can be justifiably concerned by the implications to their privacy. “Its privacy policy is written in clear and simple language,” adding that users might expect an anti-virus provider to be “more respectful” of their privacy and data security. Alexander Hanff, security expert and chief executive of Think Privacy, stated that AVG’s potential ability to collect and sell browser and search history data places the company “squarely into the category of spyware”.

AVG’s new privacy policy is on the one hand more transparent than its previous ones that intentionally blurred the line between collecting data for malware tracking and using it for profit, which can be considered as a step in the right direction. On the other hand, by making its privacy policy easier to understand, the company shows more openly how it is collecting and re-selling the data – which is an activity that many would consider unethical for a security software company with elevated privileges to the personal and “non-personal” data of its clients.